cloudstack-dev mailing list archives

From Marcus <shadow...@gmail.com>
Subject Re: [DISCUSS] Changing the way password reset works, or allowing the cloud-init way
Date Wed, 27 Aug 2014 02:47:48 GMT
We had set up an agent in the VM that listens on the virtio serial port,
similar to how the virtual router gets its configurations now in KVM. Host
to guest communication is an option, and is fairly standardized (qemu guest
agent, VMware tools, xen tools). It takes a little more work to write a
daemon, but you could do a lot more with it.

I'm not entirely convinced the current design is broken enough to warrant
a redesign (or at least I wouldn't want to see compatibility go away).
On Aug 26, 2014 6:51 PM, "Chiradeep Vittal" <Chiradeep.Vittal@citrix.com>
wrote:

> The current design is “OK”, not great. Looking for suggestions to make it
> more secure, e.g.:
>
>   *   HTTPS
>   *   Client authentication
>
> Another idea might be to attach a volume to the VM with the password, but
> hot plug detection varies widely across OS/hypervisor combinations.
> HTTP(S) is the lowest common denominator, but it has some trade-offs.
>
> From: John Kinsella <jlk@stratosec.co>
> Reply-To: "dev@cloudstack.apache.org" <dev@cloudstack.apache.org>
> Date: Tuesday, August 26, 2014 at 4:04 PM
> To: "dev@cloudstack.apache.org" <dev@cloudstack.apache.org>
> Subject: Re: [DISCUSS] Changing the way password reset works, or allowing
> the cloud-init way
>
>
> On Aug 26, 2014, at 1:34 PM, Erik Weber <terbolous@gmail.com> wrote:
> If I understand correctly, we currently deploy a web server on port 8080 on
>
> Slight correction: A process on the VR listens on port 8080, and hands
> any connections to a UNIX script. Calling it a "web server" is way too kind.
>
> Also, you’re just looking at the UNIX use case. The Windows agent is closed
> source the last I checked.
>
> Cloud-init doesn’t feel like the best solution, as the one good thing the
> current setup does is remove the password from the VR after it’s fetched.
>
> Thought there was a bug filed on this, but I don’t see it?

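The two properties the thread argues about (client authentication for the password fetch, and the VR forgetting the password once it has been fetched), as an added Python sketch that is neither CloudStack's password server nor code from anyone in this thread; the per-VM client secret, the nonce, and the `PasswordServer` / `client_tag` names are assumptions of the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def client_tag(vm_id: str, client_secret: bytes, nonce: str) -> str:
    """Guest side: prove knowledge of the per-VM secret without sending it."""
    msg = f"{vm_id}:{nonce}".encode()
    return hmac.new(client_secret, msg, hashlib.sha256).hexdigest()


@dataclass
class PasswordServer:
    """VR side. Hypothetical in-memory store, not CloudStack's own server."""
    # vm_id -> (per-VM client secret, password waiting to be picked up)
    pending: dict = field(default_factory=dict)
    used_nonces: set = field(default_factory=set)

    def stage(self, vm_id: str, client_secret: bytes, password: str) -> None:
        """Management side deposits a freshly generated password for one VM."""
        self.pending[vm_id] = (client_secret, password)

    def fetch(self, vm_id: str, nonce: str, tag: str):
        """Hand the password over exactly once, and only to a caller that can
        produce a valid tag. Returns None on every failure so a caller cannot
        tell 'unknown VM' apart from 'bad credentials'."""
        entry = self.pending.get(vm_id)
        if entry is None or nonce in self.used_nonces:
            return None
        client_secret, password = entry
        expected = client_tag(vm_id, client_secret, nonce)
        if not hmac.compare_digest(expected, tag):  # constant-time compare
            return None
        self.used_nonces.add(nonce)
        del self.pending[vm_id]  # gone from the VR as soon as it is fetched
        return password
```

A second fetch for the same VM, or one with a bad tag, gets the same `None` as a VM that was never staged.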